From Inksters Solicitors

October is nearly over and I am only now getting round to looking at the Information Commissioner’s data protection and privacy enforcement from September. As with most months, many of the key points drawn from September’s enforcement action will be familiar to regular readers of this feature. However, they are evidently worth repeating.

Key Points

Once again, it is clear that organisations engaged in direct marketing where they have obtained contact details from third parties are not carrying out sufficient due diligence checks on the data that is received by them. It is not going to be enough to simply rely upon an assurance from the supplier that all the contact details comply with the law; the recipient organisation needs to check this for themselves. Often the agreement that is obtained from the ultimate intended recipient of the marketing communications is not specific enough to enable the intended marketing to be undertaken lawfully. For example, these agreements often simply refer to “carefully selected partners” (or words of similar effect) – this is not specific enough and should not be relied upon.

The right of subject access is a fundamental right afforded to data subjects and data controllers should therefore ensure that they have in place sufficient processes to ensure that they can comply with subject access requests within the required time (one month under the GDPR). Data controllers should also ensure that they have in place adequate resources (including resilience) to meet the tight deadlines.

It is important that organisations have in place processes to stop bulk extraction of personal data (where bulk extraction would not be legitimately required), or to ensure that unauthorised bulk extraction either cannot take place or is spotted quickly when it has taken place. It is important that systems which contain personal data are monitored to identify unusual or suspicious activity.

Data Protection and Privacy Enforcement from September 2018

Everything DM Limited

Everything DM Limited was served with an Enforcement Notice [pdf] together with a monetary penalty in the amount of £60,000 [pdf]. The Commissioner found that Everything DM Limited had been responsible for the sending of 1.42 million e-mails without having in place appropriate consent, contrary to the requirements of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The Commissioner’s investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the requirements of PECR.

London Borough of Lewisham

The Information Commissioner’s Office issued an Enforcement Notice to the London Borough of Lewisham council in respect of its outstanding subject access requests [pdf]. As at 29 March 2018, the council had a backlog of 113 unanswered subject access requests, including one request that was made to the council as far back as 2013. The Council had in place a recovery plan to eliminate the backlog by 31 July 2018, but it failed to meet that deadline. The notice records that there were still 19 requests that pre-dated the 25th May 2018. The Commissioner’s office considered that the Council had breached principles 6 and 7 and that the breach was one that was likely to cause distress to data subjects. The Council was required by the Notice to comply with the subject access requests by 15 October 2018.

Prosecutions

A former nurse at Southport and Ormskirk Hospital NHS Trust was prosecuted by the Information Commissioner’s Office after she unlawfully accessed patients’ records. The nurse accessed patients’ medical records outside of her role; in particular she inappropriately accessed the records of 5 patients, 17 times. The nurse admitted offences under section 55 of the Data Protection Act 1998 and was fined £400. She was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £40.